AppArmor
* Latest release version: 2.11.0
* Latest preview version: 2.12.0
* Programming language: C, Perl, C++, sh
* Operating system: Linux
* Genre: Security
* License: GNU General Public License

AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.

Components

According to the AppArmor web page at openSUSE, AppArmor contains the following packages:

* apparmor: This provides the system initialization scripts needed to use the AppArmor Mandatory Access Control system, including the AppArmor Parser which is required to convert AppArmor text profiles into machine-readable policies that are loaded into the kernel for use with the AppArmor Linux Security Module.
* libapparmor-perl: AppArmor library Perl bindings. This provides the Perl module that contains the language bindings for the AppArmor library, libapparmor, which were autogenerated via SWIG.
* libapparmor1: Changehat AppArmor library. This package provides the shared library used for making use of the AppArmor profile and changehat functionality, as well as common log parsing routines.
* apparmor-profiles
* apparmor-utils
* apparmor-parser
* yast2-apparmor
* apparmor-docs

Details

In addition to manually creating profiles, AppArmor includes a learning mode, in which profile violations are logged, but not prevented.
This log can then be used to generate an AppArmor profile, based on the program's typical behavior.

AppArmor is implemented using the Linux Security Modules (LSM) kernel interface.

AppArmor is offered in part as an alternative to SELinux, which critics consider difficult for administrators to set up and maintain. Unlike SELinux, which is based on applying labels to files, AppArmor works with file paths. Proponents of AppArmor claim that it is less complex and easier for the average user to learn than SELinux. They also claim that AppArmor requires fewer modifications to work with existing systems: for example, SELinux requires a filesystem that supports "security labels", and thus cannot provide access control for files mounted via NFS. AppArmor is filesystem-agnostic.

Other systems

AppArmor represents one of several possible approaches to the problem of restricting the actions that installed software may take.

The SELinux system generally takes an approach similar to AppArmor. One important difference is that SELinux identifies file system objects by inode number instead of path. This means, for example, that while a file that is inaccessible may become accessible under AppArmor when a hard link to it is created, SELinux would still deny access through the newly created hard link, since the underlying data that is referenced by the inode would be the same.

SELinux and AppArmor also differ significantly in how they are administered and how they integrate into the system.

Isolation of processes can also be accomplished by mechanisms like virtualization; the One Laptop per Child (OLPC) project, for example, sandboxes individual applications in lightweight Vserver.

In 2007, the Simplified Mandatory Access Control Kernel was introduced.

In 2009, a new solution called Tomoyo was included in Linux 2.6.30; like AppArmor, it also uses path-based access control.

Availability

AppArmor was first used in Immunix Linux 1998–2003.
At the time, AppArmor was known as SubDomain, a reference to the ability for a security profile for a specific program to be segmented into different domains, which the program can switch between dynamically. AppArmor was first made available in SLES and openSUSE and was first enabled by default in SLES 10 and in openSUSE 10.1.

In May 2005 Novell acquired Immunix, rebranded SubDomain as AppArmor, and began cleaning up and rewriting the code for inclusion in the Linux kernel. From 2005 to September 2007, AppArmor was maintained by Novell. Ownership of the trademarked name AppArmor has passed from Novell to SUSE, which is now the legal owner.

AppArmor was first successfully ported/packaged for Ubuntu in April 2007. AppArmor became a default package starting in Ubuntu 7.10, and came as a part of the release of Ubuntu 8.04, protecting only CUPS by default. As of Ubuntu 9.04 more items such as MySQL have installed profiles. AppArmor hardening continued to improve in Ubuntu 9.10, which ships with profiles for its guest session, libvirt virtual machines, the Evince document viewer, and an optional Firefox profile.

AppArmor was integrated into the 2.6.36 kernel release of October 2010.

AppArmor was integrated into Synology's DSM 5.1 Beta in 2014.

Building

Compiling the AppArmor source code from git:

    $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
    Cloning into 'linux-apparmor'...
    remote: Counting objects: 5159038, done.
    remote: Compressing objects: 100% (790107/790107), done.
    Receiving objects: 100% (5159038/5159038), 984.91 MiB | 1.04 MiB/s, done.
    remote: Total 5159038 (delta 4329219), reused 5157309 (delta 4328660)
    Resolving deltas: 100% (4329219/4329219), done.
    Checking connectivity... done.
    Checking out files: 100% (39730/39730), done.
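The learning mode described under Details logs violations instead of blocking them. The sketch below is an added example (not code from AppArmor or from the original page) that turns such log records into a draft profile for review. The log lines, the profile name /usr/sbin/exampled and all paths are constructed, and only the r and w mask letters are mapped.

```python
import re
from collections import defaultdict

# Constructed audit records in the kernel's AppArmor log format; the profile
# name /usr/sbin/exampled, the paths and the pids are made up for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1581670000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/etc/exampled.conf" pid=4121 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1581670000.140:202): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/var/lib/exampled/state" pid=4121 comm="exampled" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1581670003.512:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/var/lib/exampled/state" pid=4121 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1581670004.007:204): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name=2F7372762F6D7920646174612F612E747874 pid=4121 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1581670005.300:205): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/home/user/notes.txt" pid=4200 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MAPPED = "rw"  # assumption of this sketch: other mask letters are ignored

def parse_record(line):
    """Split one audit line into its key=value fields."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            # An unquoted name is hex-encoded (used for paths with spaces etc.).
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    return fields

def learn(log_text):
    """Collect the file accesses logged in learning mode, per profile."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Learning mode records the violation as ALLOWED instead of blocking it.
        if rec.get("apparmor") != "ALLOWED" or "requested_mask" not in rec:
            continue
        seen[rec["profile"]][rec["name"]].update(rec["requested_mask"])
    return seen

def draft_profile(profile, paths):
    """Render the observed accesses as a draft profile for human review."""
    lines = [f"{profile} flags=(complain) {{"]
    for path in sorted(paths):
        perms = "".join(p for p in MAPPED if p in paths[path])
        shown = f'"{path}"' if " " in path else path  # quote paths with spaces
        lines.append(f"  {shown} {perms},")
    return "\n".join(lines + ["}"])

if __name__ == "__main__":
    for name, paths in learn(SAMPLE_LOG).items():
        print(draft_profile(name, paths))
```

The DENIED record is skipped because it comes from a profile in enforce mode, and the draft keeps the complain flag so that a reviewer can tighten the rules before the profile is enforced.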
See also

* Linux Intrusion Detection System (LIDS)
* Systrace
* Grsecurity

External links

* AppArmor Wiki
* AppArmor description from openSUSE.org
* LKML thread containing comments and criticism of AppArmor
* AppArmor packages for Ubuntu
* Counterpoint: Novell and Red Hat security experts face off on AppArmor and SELinux
* http://www.novell.com/linux/security/apparmor/